Merge pull request #268 from redhatci/gitops-ztp-spokes

Gitops ztp spokes
redhatci · Jun 11, 2024 · 9cee510 · 9cee510
2 parents 54ec4ad + 82d6c32
commit 9cee510
Show file tree

Hide file tree

Showing 10 changed files with 104 additions and 46 deletions.
diff --git a/roles/configure_ztp_gitops_apps/README.md b/roles/configure_ztp_gitops_apps/README.md
@@ -23,4 +23,9 @@ Role Variables
 * ztp_site_generator_image
 * ztp_site_generator_version
 
+czga_podman_runner_host | string | no | podman-runner | Identity of the inventory host pulling the sites template generator image.
+czga_clusters_namespace | string | no | clusters-sub | Namespace for the site config resources.
+czga_kubeconfig_path | string | no | *omit* | Path to the ACM hub kubeconfig file.
+czga_ocp_pull_secret | string | yes | | Pull secret for the Spoke cluster.
+czga_policies_namespace | string | no | policies-sub | Namespace for the policy generator template resources. It can not be the sabe as the clusters namespace.
 czga_oc_tool_path | string | no | {{ oc_tool_path | default('/usr/local/bin/oc) }} | Path to the OpenShift Command Line Interface binary.
diff --git a/roles/configure_ztp_gitops_apps/defaults/main.yaml b/roles/configure_ztp_gitops_apps/defaults/main.yaml
@@ -1,3 +1,7 @@
 ---
 
+czga_podman_runner_host: podman-runner
+czga_clusters_namespace: clusters-sub
+czga_kubeconfig_path: "{{ omit }}"
+czga_policies_namespace: policies-sub
 czga_oc_tool_path: "{{ oc_tool_path | default('/usr/loca/bin/oc') }}"
diff --git a/roles/configure_ztp_gitops_apps/tasks/main.yaml b/roles/configure_ztp_gitops_apps/tasks/main.yaml
@@ -3,17 +3,17 @@
 # Create site and policies in ArgoCD
 
 - name: Run all comands in the podman runner
-  delegate_to: podman-runner
+  delegate_to: "{{ czga_podman_runner_host }}"
   block:
 
     - name: Create temporary directory for cloning the repo
-      tempfile:
+      ansible.builtin.tempfile:
         state: directory
       register: temp_dir
 
     - name: Copy kubeconfig to remote system
       ansible.builtin.copy:
-        src: "{{ kubeconfig_path }}"
+        src: "{{ czga_kubeconfig_path }}"
         dest: "{{ temp_dir.path }}/kubeconfig"
         mode: "0644"
 
@@ -24,68 +24,89 @@
         mode: '0775'
 
     - name: "Create a pull-secret file for podman"
-      copy:
-        content: "{{ ocp_pull_secret }}"
+      ansible.builtin.copy:
+        content: "{{ czga_ocp_pull_secret }}"
         dest: "{{ temp_dir.path }}/temp-pull-secret.json"
         mode: "0644"
 
     # Please see:
     # https://docs.openshift.com/container-platform/4.12/scalability_and_performance/ztp_far_edge/ztp-manual-install.html
     - name: Download ZTP cluster and policies applications from ztp site generator
-      shell: |
+      ansible.builtin.shell: |
         set -o pipefail
         podman run --authfile "{{ temp_dir.path }}"/temp-pull-secret.json --rm --log-driver=none "{{ ztp_site_generator_image }}:{{ ztp_site_generator_version }}" extract /home/ztp --tar | tar x -C "{{ temp_dir.path }}"/ztp/
 
     - name: Set the proper permissions
-      shell: |
+      ansible.builtin.shell: |
         sudo chown "{{ ansible_user }}":"{{ ansible_user }}" -R "{{ temp_dir.path }}"/ztp/
 
     ## Configure clusters
+    - name: Replace namespace in clusters-app.yaml
+      ansible.builtin.replace:
+        path: "{{ temp_dir.path }}/ztp/argocd/deployment/clusters-app.yaml"
+        regexp: "clusters-sub"
+        replace: "{{ czga_clusters_namespace }}"
+
     - name: Replace path in clusters-app.yaml
-      replace:
+      ansible.builtin.replace:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/clusters-app.yaml"
         regexp: "path.*"
         replace: "path: {{ ztp_sites_path }}"
 
     - name: Replace repoURL in clusters-app.yaml
-      replace:
+      ansible.builtin.replace:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/clusters-app.yaml"
         regexp: "repoURL.*"
         replace: "repoURL: {{ ztp_sites_gitops_repo }}"
 
     - name: Replace targetRevision in clusters-app.yaml
-      replace:
+      ansible.builtin.replace:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/clusters-app.yaml"
         regexp: "targetRevision.*"
         replace: "targetRevision: {{ ztp_sites_branch }}"
 
     - name: Allow empty in the clusters-app.yaml
-      lineinfile:
+      ansible.builtin.lineinfile:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/clusters-app.yaml"
         line: "      allowEmpty: true"
         insertafter: selfHeal.*
 
     ## Configure policies
+    - name: Replace namespace in policies-app.yaml
+      ansible.builtin.replace:
+        path: "{{ temp_dir.path }}/ztp/argocd/deployment/policies-app.yaml"
+        regexp: "policies-sub"
+        replace: "{{ czga_policies_namespace }}"
+
+    - name: Add namespace to the policies-app-project.yaml
+      ansible.builtin.lineinfile:
+        path: "{{ temp_dir.path }}/ztp/argocd/deployment/policies-app-project.yaml"
+        line: "{{ item }}"
+        insertafter: destinations.*
+      loop:
+        - "  - namespace: '{{ czga_policies_namespace }}'"
+        - "    server: '*'"
+
     - name: Replace path in policies-app.yaml
-      replace:
+      ansible.builtin.replace:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/policies-app.yaml"
         regexp: "path.*"
         replace: "path: {{ ztp_policies_path }}"
 
     - name: Replace repoURL in policies-app.yaml
-      replace:
+      ansible.builtin.replace:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/policies-app.yaml"
         regexp: "repoURL.*"
         replace: "repoURL: {{ ztp_policies_gitops_repo }}"
 
     - name: Replace targetRevision in policies-app.yaml
-      replace:
+      ansible.builtin.replace:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/policies-app.yaml"
         regexp: "targetRevision.*"
         replace: "targetRevision: {{ ztp_policies_branch }}"
 
     - name: Allow empty in the policies-app.yaml
-      lineinfile:
+      ansible.builtin.lineinfile:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/policies-app.yaml"
         line: "      allowEmpty: true"
         insertafter: selfHeal.*
@@ -94,7 +115,7 @@
     ## Add adaptation due to https://issues.redhat.com/browse/CNF-7840
     ## based on https://redhat-internal.slack.com/archives/C02EG99MR9C/p1679006883470389?thread_ts=1678887461.410819&cid=C02EG99MR9C
     - name: Add ClusterImageSet to the app-project.yaml
-      lineinfile:
+      ansible.builtin.lineinfile:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/app-project.yaml"
         line: "{{ item }}"
         insertafter: clusterResourceWhitelist.*
@@ -103,30 +124,40 @@
         - "  - group: hive.openshift.io"
 
     - name: Add ClusterImageSet to the policies-app-project.yaml
-      lineinfile:
+      ansible.builtin.lineinfile:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/policies-app-project.yaml"
         line: "{{ item }}"
         insertafter: clusterResourceWhitelist.*
       loop:
         - "    kind: ClusterImageSet"
         - "  - group: hive.openshift.io"
 
-    - name: Run the policies and cluster apps
-      shell: |
-        {{ czga_oc_tool_path }} --kubeconfig="{{ temp_dir.path }}/kubeconfig" apply -k "{{ temp_dir.path }}/ztp/argocd/deployment"
-
     - name: Replace image container URL in argocd-openshift-gitops-patch.json
-      replace:
+      ansible.builtin.replace:
         path: "{{ temp_dir.path }}/ztp/argocd/deployment/argocd-openshift-gitops-patch.json"
         regexp: "{{ ztp_site_generator_image }}.*/"
         replace: "{{ ztp_site_generator_image }}:{{ ztp_site_generator_version }}"
 
-    - name: Apply ArgoCD changes
-      shell: |
+    - name: Patch the ArgoCD instance to install the GitOps ZTP plugin
+      ansible.builtin.shell: |
         {{ czga_oc_tool_path }} --kubeconfig="{{ temp_dir.path }}/kubeconfig" patch argocd openshift-gitops -n openshift-gitops --patch-file "{{ temp_dir.path }}/ztp/argocd/deployment/argocd-openshift-gitops-patch.json" --type=merge
 
+    - name: Disable proxy addon
+      community.kubernetes.k8s:
+        api_version: multicluster.openshift.io/v1
+        kubeconfig: "{{ temp_dir.path }}/kubeconfig"
+        kind: MultiClusterEngine
+        name: multiclusterengine
+        merge_type:
+          - merge
+        definition: "{{ lookup('file', temp_dir.path + '/ztp/argocd/deployment/disable-cluster-proxy-addon.json') | from_json }}"
+
+    - name: Run the policies and cluster apps
+      ansible.builtin.shell: |
+        {{ czga_oc_tool_path }} --kubeconfig="{{ temp_dir.path }}/kubeconfig" apply -k "{{ temp_dir.path }}/ztp/argocd/deployment"
+
     - name: Remove the temporary directories
-      file:
+      ansible.builtin.file:
         path: "{{ temp_dir.path }}"
         state: absent
       when: temp_dir.path is defined
diff --git a/roles/gitops_configure_repo/README.md b/roles/gitops_configure_repo/README.md
@@ -7,15 +7,17 @@ Requirements
 ------------
 
 * ArgoCD/GitOps already configured
-* The repository MUST be hosted in GitLab
-* The SSH key has permissions to read from GitLab repository.
+* The repository MUST grant access through SSH keys.
+* The SSH key has permissions to read from the Git repository.
 
 Role Variables
 --------------
 
 Variable | Type | Required | Default | Description
 ---------|------|-----------|---------|------------
-gitlab_ssh_known_hosts | String | yes | | Should be the ssh known hosts. It is required by ArgoCD when working with a SSH key.
+gcr_ssh_key_path | String | yes | | Path to the SSH private key file used to log into the GitOps manifest repository.
+gcr_ssh_known_hosts | String | no | "" | Should be the ssh known hosts. It is required by ArgoCD when working with a SSH key.
+gcr_ztp_gitops_repo | String | yes | | URL to the ZTP GitOps Git repository.
 
 Dependencies
 ------------

diff --git a/roles/gitops_configure_repo/defaults/main.yaml b/roles/gitops_configure_repo/defaults/main.yaml
@@ -1,2 +1,2 @@
 ---
-gor_oc_tool_path: "{{ oc_tool_path | default('/usr/local/bin/oc') }}"
+gcr_ssh_key_path: "{{ lookup('env', 'HOME') }}/.ssh/id_rsa"
diff --git a/roles/gitops_configure_repo/tasks/main.yaml b/roles/gitops_configure_repo/tasks/main.yaml
@@ -1,6 +1,14 @@
 ---
 
-- name: Add gitlab ssh key to argoCD
+- name: Assert the required variables are defined
+  ansible.builtin.assert:
+    that:
+      - gcr_ssh_key_path is defined
+      - gcr_ssh_key_path | length > 0
+      - gcr_ztp_gitops_repo is defined
+      - gcr_ztp_gitops_repo | length > 0
+
+- name: Add Git repository SSH key to argoCD
   community.kubernetes.k8s:
     api_version: v1
     kind: ConfigMap
@@ -11,12 +19,15 @@
         app.kubernetes.io/name: argocd-cm
         app.kubernetes.io/part-of: argocd
       data:
-        ssh_known_hosts: |
-          {{ gitlab_ssh_known_hosts }}
+        gcr_ssh_known_hosts: |
+          {{ gcr_ssh_known_hosts }}
+  when: gcr_ssh_known_hosts is defined
+  no_log: true
 
 - name: Register key
-  ansible.builtin.command: cat "{{ gitlab_key_path }}"
-  register: gitlab_key
+  ansible.builtin.set_fact:
+    gcr_ssh_key: "{{ lookup('file', gcr_ssh_key_path) }}"
+  no_log: true
 
 - name: Create temporary template directory
   ansible.builtin.tempfile:
@@ -32,18 +43,8 @@
 
 - name: Apply ssh private repo
   community.kubernetes.k8s:
-    api_version: v1
-    kind: Secret
-    name: private-repo
-    namespace: openshift-gitops
-    resource_definition:
-      labels:
-        argocd.argoproj.io/secret-type: repository
-      stringData:
-        type: git
-        url: "{{ ztp_gitops_repo }}"
-        sshPrivateKey: |
-          {{ gitlab_key.stdout | indent(4) }}
+    src: "{{ temp_dir.path }}/ssh_private_repo.yaml"
+  no_log: true
 
 - name: Remove temporary directory
   ansible.builtin.file:

diff --git a/roles/gitops_configure_repo/templates/ssh_private_repo.yaml.j2 b/roles/gitops_configure_repo/templates/ssh_private_repo.yaml.j2
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-repo
+  namespace: openshift-gitops
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  type: git
+  url: {{ gcr_ztp_gitops_repo }}
+  sshPrivateKey: |
+    {{ gcr_ssh_key | indent(4)}}
diff --git a/roles/install_operator_gitops/README.md b/roles/install_operator_gitops/README.md
@@ -19,6 +19,7 @@ metallb | boolean | no | true | Set it to true to modify the Provisioning resour
 database_storage_request | bit size | no | 20Gi | Database storage size for the AgentService.
 filesystem_storage_request | bit size | no |  20Gi | Filesystem storage size for the AgentService.
 image_storage_request | bit size | no | 100Gi | Image storage for the AgentService.
+rhcos_images | string | no | null | Custom RHCOS image for the AgentService.
 iog_configure_only | boolean | no | false | Set it to skip installing the Gitops Operator and run only the configuration actions.
 iog_oc_tool_path | string | no | {{ oc_tool_path | default('/usr/local/bin/oc') }} | Path to the OpenShift Command Line Interface binary.
 

diff --git a/roles/install_operator_gitops/defaults/main.yaml b/roles/install_operator_gitops/defaults/main.yaml
@@ -3,6 +3,7 @@ metallb: true
 database_storage_request: 20Gi
 filesystem_storage_request: 20Gi
 image_storage_request: 100Gi
+rhcos_images: null
 
 iog_configure_only: false
 iog_oc_tool_path: "{{ oc_tool_path | default('/usr/local/bin/oc') }}"
diff --git a/roles/install_operator_gitops/tasks/main.yaml b/roles/install_operator_gitops/tasks/main.yaml
@@ -40,6 +40,7 @@
           resources:
             requests:
               storage: "{{ image_storage_request }}"
+        osImages: "{{ rhcos_images }}"
 
 - name: Optionally install the openshift-gitops-operator
   when: not (iog_configure_only | bool)